Trust (and by extension, privacy) is a sensitive issue. Especially when it comes to sharing personal information. This leads to questions such as:
- Do you trust organisations you are sharing your data with?
- Do you know how your data is being used?
- Do you know what data is being collected from you and how it is being used?
- Do you know who can access data that you have generated?
In most cases, people will answer “no” or “I don’t know” to these questions. I already wrote a piece about this in 2019 titled “To trust or not to trust” before COVID-19 hit and further increased concerns and calls for security and privacy. Discouragingly enough, most of what I wrote almost two years ago still holds true, and there is still limited clarity or at least a feeling of control, in regard to personal data that is being shared with or between organisations.
Nevertheless, there have been updates in this space. The most recent update is from 4 June 2021, where the European Commission released two sets of standard contractual clauses:
- For use between controllers and processors; and
- For the transfer of personal data to third countries.
As these clauses are rolled out and proper implementation and enforcement is established, the above questions should be addressed. Or, if not, there should at least be clearer answers to dissipate concerns about privacy and the security of data.
Now, for more clarity on the two clauses. These two contractual clauses reflect new requirements under the General Data Protection Regulation (GDPR) and take into account the Schrems II judgement of the Court of Justice. In plain English, this means that the two tools ensure a high level of data protection for citizens. Moreover, they will offer more legal predictability to EU businesses and help Small- and Medium-sized Enterprises (SMEs) to ensure compliance with requirements for safe data transfers, whilst allowing data to move freely across borders – EU and international – without legal barriers.
This is still quite fresh, so we need to wait and see how it evolves. This, to me at least, is a good next step regarding data sharing and security beyond the omnipresent GDPR.